Malicious host detection
Abstract
A method for detecting malware software in a computer system includes accessing a plurality of hostnames for a malware server from a computer system infected with malware and attempting to communicate with the malware server, each hostname including a plurality of symbols in each of a plurality of symbol positions; training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes: a set of input units for each possible symbol and symbol position in a hostname; output units each for storing an output of the autoencoder; and a set of hidden units smaller in number than the set of input units and each interconnecting all input and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and identifying infected computer systems based on their attempted communication to hostnames having symbols in symbol positions consistent with the tuples in the set.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1. A method for detecting malware software in a network connected computer system comprising:
accessing a plurality of hostnames for a malware server from a training computer system infected with malware and attempting to communicate with the malware server, each of the plurality of hostnames including a plurality of symbols in each of a plurality of symbol positions;
training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes:
a set of input units for each possible symbol and symbol position in a hostname, output units each for storing an output of the autoencoder, and
a set of hidden units smaller in number than the set of input units and each interconnecting all input units and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units;
selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and
identifying an infected computer system based on an attempted communication, by the infected computer system, to hostnames having symbols in symbol positions at least partially consistent with the tuples in the set of one or more symbol and symbol position.
2. The method of claim 1 , wherein, responsive to the identifying, the method further comprises implementing a responsive measure to mitigate an effect or further spread of malware infecting the identified infected computer system.
3. The method of claim 2 , wherein the responsive measure includes one or more of:
preventing network communication by the identified infected computer system;
instigating at least one of a malware removal process or a virus removal process for the identified infected computer system;
flagging the identified infected computer system; or
using the identified infected computer system to generate a second plurality of hostnames for further training the autoencoder.
4. The method of claim 1 , wherein the attempted communication by the infected computer system includes storage of a hostname by the computer system for use in communicating with another computer system by way of the hostname.
5. The method of claim 1 , wherein each input unit corresponds to a symbol and a symbol position in a hostname.
6. The method of claim 1 , wherein the autoencoder is trainable using a backpropagation algorithm for adjusting weights of interconnections between the input units, the output units, and the hidden units of the autoencoder.
7. The method of claim 1 , wherein training the autoencoder further includes using a gradient descent algorithm.
8. A computer system comprising:
a processor and memory storing computer program code for detecting malware software in a network connected computer system by:
accessing a plurality of hostnames for a malware server from a training computer system infected with malware and attempting to communicate with the malware server, each of the plurality of hostnames including a plurality of symbols in each of a plurality of symbol positions;
training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes:
a set of input units for each possible symbol and symbol position in a hostname,
output units each for storing an output of the autoencoder, and
a set of hidden units smaller in number than the set of input units and each interconnecting all input units and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units;
selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and
identifying an infected computer system based on an attempted communication, by the infected computer system, to hostnames having symbols in symbol positions at least partially consistent with the tuples in the set of one or more symbol and symbol position.
9. A non-transitory computer-readable storage element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer system to perform the method as claimed in claim 1 .Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.